- From: Miles Sabin <miles@milessabin.com>
- Date: Wed, 30 Oct 2002 23:07:11 +0000
- To: www-tag@w3.org
Chris Lilley wrote,

> MS> ... but in at least some cases the very act of attempting
> MS> validation will trigger the dangerous behaviour, eg. retrieving an
> MS> uncached DTD external subset.
>
> Okay. Although, accepting the original XML message (if it's a
> protocol, say) might be just as dangerous.

Agreed. Which is why this is a delicate area where guidance is needed: if it seems like you're damned if you do and you're damned if you don't, then you're likely to toss a coin and hope for the best.

> MS> Representation retrieval is safe: Agents do not incur obligations
> MS> by retrieving a representation.
>
> Aha. Thanks for being more specific as to the link between the
> security alert you posted and the edits to the Arch doc that should
> result from your input.

Sorry ... I didn't make it anything like clear enough.

Cheers,

Miles
Received on Wednesday, 30 October 2002 18:07:42 UTC